Mailing List Archive: Catalyst: Users

Where to add access control? Override execute() or dispatch()?



moseley at hank

Aug 30, 2009, 1:17 PM

Post #1 of 2 (843 views)
Where to add access control? Override execute() or dispatch()?

I'm in the process of adding custom access control for actions.

I've been looking over C::P::Authorization::ACL. It overrides
execute() which is run for every method called by the dispatcher,
which includes begin, auto, the action itself, and end. Depending on
how the ACLs are specified, the plugin will block access to the actual
action, but begin, auto, and end will still run.

I'm trying to decide if this is the best approach, or if it would be
better to test the ACL before dispatching. The issue is if the
request is for /foo/bar, and an ACL rule blocks that, should
Foo::(begin|end|auto) still run? Or should it act as if the /foo/bar
action doesn't exist and not run any begin, auto, or end in the Foo
controller?

--
Bill Moseley
moseley [at] hank

_______________________________________________
List: Catalyst [at] lists
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst [at] lists/
Dev site: http://dev.catalyst.perl.org/


bobtfish at bobtfish

Sep 2, 2009, 10:42 AM

Post #2 of 2 (762 views)
Re: Where to add access control? Override execute() or dispatch()?

On 30 Aug 2009, at 21:17, Bill Moseley wrote:
> I'm trying to decide if this is the best approach, or if it would be
> better to test the ACL before dispatching. The issue is if the
> request is for /foo/bar, and an ACL rule blocks that, should
> Foo::(begin|end|auto) still run? Or should it act as if the /foo/bar
> action doesn't exist and not run any begin, auto, or end in the Foo
> controller?

I think that either would be a valid design decision.

I don't think that entirely shortcutting dispatch gives you as much
flexibility, and I tend to do the 'hard' part of the hit in the
terminus action anyway, so running the begin action isn't a big deal
for me.

I personally prefer it to be done on a per-action basis, as I _want_
begin / end / auto to run even in the case where the action itself is
denied (as this gives you the chance to 'whitelist' the action given
special conditions for one example, or to use the end action to
serialize an 'access denied' REST response back in a site with an API
for another example).

Cheers
t0m
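One way to implement the per-action approach t0m describes, as an added example that is not code from this thread or from C::P::Authorization::ACL: a Catalyst::Action subclass checks roles in execute() for the terminus action only, so the controller's begin/auto/end still run and end() can serialize the denial. It assumes Catalyst::Plugin::Authentication and Catalyst::Plugin::Authorization::Roles are loaded (user_exists, check_user_roles); the RequireRole attribute and the acl_whitelisted / access_denied stash keys are hypothetical, and the two packages are shown in one listing for brevity.

```perl
package MyApp::Action::RequireRole;
# Action class applied to the terminus action only, so begin/auto/end
# in the controller still run when the action itself is denied.
use Moose;
use namespace::autoclean;
extends 'Catalyst::Action';

sub execute {
    my $self = shift;
    my ( $controller, $c ) = @_;
    # Required roles come from the action's own attribute, e.g. RequireRole('admin')
    my @roles = @{ $self->attributes->{RequireRole} || [] };

    # auto() may set this (assumed) stash key to whitelist the action under
    # special conditions; otherwise fail closed: no roles listed means no access.
    my $allowed = $c->stash->{acl_whitelisted}
        || ( @roles && $c->user_exists && $c->check_user_roles(@roles) );

    unless ($allowed) {
        $c->stash->{access_denied} = $self->reverse;    # e.g. 'foo/bar'
        $c->res->status(403);
        $c->detach;    # skips this action; _DISPATCH still forwards to end()
    }
    return $self->next::method(@_);
}

__PACKAGE__->meta->make_immutable;

package MyApp::Controller::Foo;
use Moose;
use namespace::autoclean;
BEGIN { extends 'Catalyst::Controller' }

sub bar : Local ActionClass('+MyApp::Action::RequireRole') RequireRole('admin') {
    my ( $self, $c ) = @_;
    $c->res->body('admin-only content');
}

sub end : Private {
    my ( $self, $c ) = @_;
    # Runs even after a denial, so an API can serialize the 403 consistently
    if ( my $denied = $c->stash->{access_denied} ) {
        $c->res->content_type('application/json');
        $c->res->body(qq({"error":"access denied","action":"$denied"}));
    }
}

__PACKAGE__->meta->make_immutable;
1;
```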

